Virtualization Technology News and Information
Keyfactor 2024 Predictions: What business leaders need to know about PQC, IoT, and AI security


Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.

What business leaders need to know about PQC, IoT, and AI security

With 2023 coming to a close, we're rapidly approaching a new era of security. In the past year, generative AI has taken the world by storm, touching nearly every aspect of our personal and professional lives in one way or another. Connected devices continue to blend the physical and digital worlds in exciting new ways as more product designers, equipment manufacturers, and businesses adopt IoT technology than ever before. And 2024 also marks the year that NIST's three new algorithms are expected to be ready for use, at which point organizations around the world can start integrating them into their encryption infrastructure.

These developments - while exciting - add to the complexity of our current security landscape. As we charge ahead into the new year, it will be important for business leaders to educate themselves on what's next in these three spheres - post-quantum cryptography (PQC), IoT, and AI - so they can take the steps needed to protect their business, their people, and their consumers as the security landscape continues to evolve.

Read on for the top predictions and trends from three eminent thought leaders at Keyfactor - Chris Hickman, the company's CSO, on adopting new PQC algorithms; Ellen Boehm, SVP of IoT Strategy and Operations, on preparing for stronger IoT device security; and Ryan Sanders, Sr. Director of Product and Strategy, on ensuring authenticity as AI-generated content becomes more engrained in our daily lives.

Chris Hickman, CSO, Keyfactor:

Significant planning and testing will be needed to adopt new PQC algorithms 

One of the biggest concerns with quantum computing is its potential to break cryptography. Luckily, NIST plans to finalize standardized PQC algorithms in early 2024. But organizations need to remember that this marks just the starting line for PQC algorithms. Once the algorithms become standardized - then products, developers and everyone can start using them with some confidence that they are supported to protect cryptography in a post quantum world. It should also allow for greater interoperability. However, organizations will need to undergo significant testing and planning to adopt these new algorithms, as they differ entirely from the ones currently used in asymmetric cryptography.  

Quantum ready cryptography will also require longer key sizes. This is a concern because many of today's devices have limited memory and/or processing resources.  

In 2024, organizations must start planning and testing to adopt NIST's new PQC algorithms. Additionally, they must begin assessments on how prepared the entire supply chain for their organization is/will be, which is equally important. It will be imperative for security assessments and vendor audits to begin taking PQC into account.

Ellen Boehm, SVP, IoT Strategy and Operations, Keyfactor:

U.S. Cyber Trust Mark is a big step in preventing cyberattacks on smart devices 

As we creep closer to the launch date of the U.S. Cyber Trust Mark labeling program, which is expected to launch in 2024, we're taking a big step as an industry in helping Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. While there are still some concerns about the scope and implementation of the new program, it is a step in the right direction. With this labeling program, we're acknowledging that there is a gap in cybersecurity awareness and we need to make consumers more aware of risks.  

As consumers, when we make a purchase, we expect a certain level of quality and safety in our products. This consumer expectation also holds true for the security protocols embedded inside the smart home tech and connected devices they choose to use. As with any new program there will be iterations, but the launch provides a starting point for this very important conversation to happen, which will in turn start to drive more awareness of the security of our smart devices on a national level for US consumers.

Cryptography will become essential to ensure the integrity of IoT devices 

Similar to how AI has accelerated marketing content, AI will help developers iterate faster on designs and innovate features that might not have been possible through standard methods.  The challenge with using any AI engine always comes back to proving the origin, authenticity, and record of how code has changed over time. This is where the new security vulnerabilities could be introduced into IoT products, if AI-based code development leverages an unknown source.  

Establishing PKI-based trust and using proper code signing will be crucial. PKI ensures data confidentiality through advanced encryption techniques, providing the essential backbone of internet security, while code signing is one form of these cryptographic methods developers can use to prove that a piece of software is authentic. By digitally signing apps, software, or embedded firmware with a private key, the proof is provided to end-users that the code originates from a trusted and legitimate source and that it hasn't been tampered with since it was published. Combined, PKI and code signing are the most effective security measures to ensure the integrity of devices from activation through firmware and software updates. 

Establishing crypto-agile processes for long-lived IoT devices today will be necessary to prepare for future threats 

Post quantum cryptography (PQC) is going to change the way that we look at underlying cryptography and how we encrypt our devices - both in the enterprise and in IoT. It's important for IoT OEMs and operators to understand the implications of the design of their products and systems to be able to be flexible to implement strong security today with classical algorithms, while at the same time being prepared to switch to post quantum crypto when available. For long-lived devices that are going into operation today, OEMs will need to focus on establishing processes that will enable them to become crypto-agile - meaning they can ensure a rapid response to a cryptographic threat. Only IoT developers who possess crypto-agility will be prepared for the future changing landscape. 

Ryan Sanders, Sr. Director of Product and Strategy, Keyfactor:

To ensure AI-generated content and code authenticity, digital signatures will become critical 

Like any disruptive technology, AI is a double-edged sword. AI has been around for a long time; the difference now is one word: availability. Any new technology is initially expensive, not widely available, and sometimes, too complex for the average person. Generative AI and large language models were the accelerators that overcame these hurdles, making AI affordable, usable and accessible to everyone. That's where the problems come in. There's no standard (yet) for how AI should be used, what AI should have access to, and how to prevent misuse. AI can be a co-pilot or assistant for cybersecurity teams, helping them work more efficiently and make better sense of the flood of alerts and risk warnings they deal with on a daily basis. On the other hand, AI can be used to produce fraudulent images or videos, accelerate malware production, or even take DDoS attacks to the next level by enabling AI-powered bots to do the dirty work.  

One area where we're most concerned when it comes to AI is content and code authenticity. In a world where AI is accessible to all, how do you know if an image or video was produced by a human or AI? How do you know if it's been augmented? How do you know when and where it was taken? All of these are important questions, particularly in the face of recent conflicts, which have raised questions about authenticity, and show the dangers of potential misinformation or even disinformation via content that spreads like wildfire on social media. The same also applies to software development. If teams augment development with AI, how do you know the source of your code? How do you know if it's been tampered with or altered?

Digital signatures are one of the best current methods to prove the origin and authenticity of images and videos, as well as to prove the integrity and authenticity of code. All of these - images, videos, and software - are intellectual property that must be protected. We're now living in a world where we can't immediately trust what we see and hear. Everything must be verified. Authenticity is the key to establishing trust in an otherwise untrusting world.


ABOUT THE AUTHORS

Chris Hickman


Chris Hickman is CSO at Keyfactor. As a member of the senior management team, Chris is responsible for establishing & maintaining Keyfactor's leadership position as a world-class, technical organization with deep security industry expertise. 

Ellen Boehm


Ellen Boehm is SVP of IoT strategy and operations at Keyfactor. She has over 15 years' experience in leading new product development with a focus on IoT and connected products in lighting controls, smart cities, connected buildings and smart home technology. 

Ryan Sanders


Ryan Sanders is senior director of product and strategy at Keyfactor. Ryan is passionate about cybersecurity and actively analyzes the latest compliance mandates, market trends, and industry best practices related to public key infrastructure (PKI) and digital certificates. Based in Toronto, Ryan has been an integral member of the Keyfactor team for five years.

Published Thursday, January 04, 2024 7:36 AM by David Marshall